Share This Page

Hi there, this is a tutorial for FW-spoofing game updates for N3DS users, for game updates that require 9.6+ as we cannot update emunand past 9.5 yet.

As I could not find an actual step-by-step tutorial on doing this I figured I would make one.

This may not be needed if you are using Gateway as their FW-spoofing might already take care of spoofing FW properly for game updates. In case it is needed though then you should be able to follow this tutorial to get game updates working.

When I asked people it didn't seem FreeMultiPatcher was working for spoofing game updates, so this is the main reason for this tutorial. If it -does- work, though, then this tutorial isn't completely needed.
However, having to run FMP every time you start up your 3DS can be annoying, and this allows you to skip that entirely. You'll be able to install your game updates and they'll just -work-.

Note this is only for N3DS users. O3DS users can update their emunand to the latest firmware and everything should run fine.

When attempting to run a game with an update installed that requires a firmware above 9.5 to run, it will not run, either giving you a never-ending 3DS logo loading screen, or it will load but black screen and possibly give you a black screen error message telling you an error has occurred and making you force-power off your 3DS.

It was only recently that game updates started showing up that required 9.6+ FW to run, so there isn't very much info on this and a lot of people don't even know that there even are updates that require 9.6+ to run (it doesn't seem like anyone has uploaded FW-spoofed versions of game update .cias online yet either.)
So chances are, you will have to FW-spoof it yourself.

For this, you will need:
- Decrypt9
- PackHack (Google it, original download contains slot0x25KeyX.bin which I don't want to link to.)
- HxD (or any other Hex Editor)
- makerom, reuploaded to my dropbox for your convenience (I found it unusually difficult to find it back when I needed it and had to find it.)
- If you are doing this on an O3DS sysnand < 7.x : slot0x25KeyX.bin at the root of your SD card (shouldn't be a problem as the people who will be doing this are N3DS users.)

---

Step 1: Getting the game update

Get your game update .cia which requires 9.6+ to run. I don't have a list of which game updates require 9.6+ to run, but a few that I know of are, Codename S.T.E.A.M., The Legend of Zelda: Triforce Heroes and Fire Emblem: if

For this tutorial I will be using Codename S.T.E.A.M. v1.2.0 game update.

Use your Google-fu to find the updates online.

Once you have your game update, create a folder named D9Game at the root of your SD card and copy the game update over to that folder.

Warning: Spoilers inside!

---

Step 2: Decrypting the game update and unpacking it

To decrypt the game update, I use Decrypt9. Download it from the links at the beginning of this tutorial and install it using whichever method suits you best. I personally recommend using the .3dsx version as it is the easiest to set up.

You will have to run it from sysnand. It will not work from within emunand.

If you are using CTRBootManager to autoboot into your favourite CFW, you will need to abort CTRBootManager's autoboot function and then select homebrew launcher. You can add Decrypt9 to sdmc:/3ds/ just like you would any homebrew and run it from HBL, or you can add it directly as an entry in CTRBootManager which in my opinion is more convenient.

Here is a sample boot.cfg for CTRBootManager which will allow you to run Decrypt9 directly from it:

Note: this configuration file will make CTRBootManager autoboot into rxTools, and to access any of the other boot options, you will have to hold L while menuhax is running until you get to the CTRBootManager menu.

Place Decrypt9WIP.3dsx at the root of your SD card.

Warning: Spoilers inside!

Once you have all of this, you should be set to decrypt the game update.

Boot into CTRBootManager's boot menu by holding L and select Decrypt9. Remember this will only work if it is run from sysnand, and only if sysnand is 9.2 or lower.

Once in the Decrypt9 menu, you want to select "Game Decryptor Options", then "CIA Decryptor (deep)"
It will work its magic and the game update .cia will be decrypted. You can now turn off your 3DS.

Get PackHack and extract it somewhere on your computer. Copy the decrypted game update back to your computer and place it in the same folder as HackingToolkit.exe

Warning: Spoilers inside!

Then run HackingToolkit.exe

Enter "cia", then type in the filename of your game update without the file extension as instructed.
When it asks you if you want to decompress the code.bin file, enter y (yes)
It will unpack the update .cia and give you a DecryptedExeFS.bin, DecryptedExHeader.bin, DecryptedManual.bin and DecryptedRomFS.bin, along with an exe and romfs folder.

---

Step 3: Editing the Exheader

In order to FW-spoof the game update, you will have to edit the DecryptedExHeader.bin

Start up HxD and open DecryptedExHeader.bin

Edit the two bytes at 0x39C and the two bytes at 0x79C to 21 02 then save the file.

This will spoof the game update as having a minimum firmware requirement of 4.0 (? or at least somewhere in the 4.x range)

Warning: Spoilers inside!

---

Step 4: Repacking the files into a .cia

Once you've edited the exheader, the update will be FW-spoofed as requiring a minimum firmware of 4.x to run, so it should work normally now. But you still need to repack it into an installable .cia before you can actually use it.

You will need to edit a few things in the RSF file. Most of its contents aren't very important, but you may need to change the Product Code, UniqueId and Category.

As we'll all be doing this with patch files you don't need to change the Category as it's already set to Patch. You should however change the UniqueId and the Product Code to match the original game update .cia

To get those, head over to 3dsdb.com and search for your game's name.
For Code Name S.T.E.A.M., the UniqueID is 0004000000132500 and the Product Code is CTR-P-AY6A

The RSF file uses the last 8 digits of the UniqueID minus the last two 0's, and the Product Code for game updates is the same as the Product Code for the actual game, except the P is replaced with an U.

So, for Code Name S.T.E.A.M., the UniqueId in the RSF file will be changed to 0x01325 and its Product Code will be changed to CTR-U-AY6A.

Shift-right-click on the background of the makerom folder and select "Open command window here" to open a CMD window in makerom's directory.

Warning: Spoilers inside!

Copy/paste the commands and run them. You should now have an update.cia in makerom's folder.

The only thing left to do is install it with your favourite CIA manager, and it should run properly!

Note: I have not tested this myself, as I don't have a N3DS let alone an exploitable one, and I don't have any of the games that have an update that requires 9.6+ so I can't personally test it to see if it works. However, the person who needed a FW-spoofed Code Name S.T.E.A.M. 1.2.0 update tested it for me and reported that it was working.

If things aren't working for you, unfortunately I can't mess around with things in hopes of figuring out the problem. But this should work for any game update that requires 9.6+ to run.

That's what I was thinking of, downloading the latest eShop CIA from 3DNUS and spoofing it, it should be able to install it on EmuNAND and access to eShop without HANS or FMP, just installing latest FW Spoofed eShop and nVer/cVer (Can't remmember right now which one is necessary, cVer should be) on any N3DS with any CFW :3 can someone try this?

Quick question, I'm at the end of step 2. After using Decrypt9, the 3DS screen shows a message that the .cia was successfully decrypted and checking in the D9Game folder, I see only one .cia file. Comparing its MD5 to the original untouched .cia shows that it has indeed been modified. After I move this .cia file to the PackHack folder and running HackingToolkit.exe, I enter "cia", the name of the file (without the file extension), and then hit Y to confirm decompression code.bin, several lines of text quickly flash past (too quick to read), and I'm taken back to the HackingToolkit main menu. Looking in the folder, no files have been generated. There is no DecryptedExHeader.bin anywhere to be found. Am I doing something wrong here?

Details abridged:

Warning: Spoilers inside!

EDIT:
Entering nonsense filenames in HackingToolkit gives the exact same result as entering the actual name of my .cia file. Looks like it's not even detecting the update .cia or something.

EDIT2:
Actually, where does Decrypt9 even save the decrypted .cia file anyway? I've set it up so that my update.cia is in a D9Game folder at the root of my SD. After supposedly decrypting the .cia, there's just the update.cia in the same folder. Nothing's seemingly changed. Is Decrypt9 supposed to output the decrypted .cia at the same location as the original .cia, with the exact same name? Or does it place it somewhere else that I'm not aware of? At the moment I can't tell whether it's Decrypt9 that isn't properly working or if it's HackingToolkit.exe that's up to mischief.

EDIT3:
I was able to get a screenshot of the errors that flash up in HackingToolkit. It says:
The system cannot find the file specified.
'C:\Users\Admin' is not recognized as an internal or external command, operable program or batch file.
Could Not Find C:\Users\Admin\Downloads\PackEnglishV4.3\PackHack\DecryptedPartition1.bin
C:\Users\Admin\Downloads\PackEnglishV4.3\PackHack\DecryptedPartition2.bin
C:\Users\Admin\Downloads\PackEnglishV4.3\PackHack\DecryptedPartition6.bin
C:\Users\Admin\Downloads\PackEnglishV4.3\PackHack\DecryptedPartition7.bin
C:\Users\Admin\Downloads\PackEnglishV4.3\PackHack\DecryptedPartition0.bin

EDIT4:
I suspect that it's Decrypt9 that's not working. Even though it says that the .cia was successfully decrypted, the file I find in D9Game has the exact same file size as the input file. Even though it has a different MD5, everything else about it is absolutely identical to the original file. And it doesn't help that HackingToolkit doesn't give any indication if a .cia is broken or still encrypted. Hell, it doesn't even tell you if the specified file is nonexistent!

EDIT5:
Tried using Decrypt9UI. Doesn't even start up and just hangs at a black screen. Tempted to just delete everything and give up at this point.

EDIT6:
Managed to get Decrypt9UI running on 5th attempt. Exact same result. Generates an identical file at the exact same location with the same name and file size but different MD5. When HackingToolkit.exe is applied absolutely nothing happens and no further files are generated.

EDIT7:
Attempted to extract using ctrtool instead, it threw up a ton of errors about wrong key. Looks like Decrypt9 is definitely the culprit here. Tried uninstalling, cleaning all related files, reinstalling, re-readint tutorials, re-decrypting but it's always the exact same result. Decrypt9 is being stubborn and not working. Giving up for today, wasted enough time on this already.

EDIT (final):
It looks like the problems were being caused by Windows OS on my end, it was interfering with how hackingtoolkit was working and generally wreaking havoc. Case somewhat closed, for now.

Decrypt9 just decrypts the .cia, keeps the same file.
It'll remain the same size and the same name because it's the same file with the same contents, just decrypted. Encryption != compression, file size wouldn't change.

Are you sure you are selecting CIA Decryptor (deep)? (shallow) won't work, and I'm not entirely sure what the (for GW) one does.

Decrypt9 just decrypts the .cia, keeps the same file.
It'll remain the same size and the same name because it's the same file with the same contents, just decrypted. Encryption != compression, file size wouldn't change.

Are you sure you are selecting CIA Decryptor (deep)? (shallow) won't work, and I'm not entirely sure what the (GW) one does.

Click to expand...

I've been using the deep option, the log output shows no errors or anything.

I'm going to try and see if i run into the same problem. For the time being there -could- be a possibility that your update .cia got corrupted while you were copying it over to your SD card. Not sure if Decrypt9 would throw an error if that was the case.

Yeah the game update for smash is quite large compared to every other game update so that might cause problems. But I'm pretty sure Decrypt9 is supposed to be able to decrypt even regular came .cias which can be even larger.

Yeah the game update for smash is quite large compared to every other game update so that might cause problems. But I'm pretty sure Decrypt9 is supposed to be able to decrypt even regular came .cias which can be even larger.

Well, it is working for me.
My theory is that there is a problem with your computer itself (or so the " 'C:\Users\Admin' is not recognized as an internal or external command, operable program or batch file. " line leads me to believe.)

Since I've already got the update downloaded here and extracted, I might as well just do the exheader editing and then I'll create a patch for you to apply to your update .cia

Well, it is working for me.
My theory is that there is a problem with your computer itself (or so the " 'C:\Users\Admin' is not recognized as an internal or external command, operable program or batch file. " line leads me to believe.)

Since I've already got the update downloaded here and extracted, I might as well just do the exheader editing and then I'll create a patch for you to apply to your update .cia

Also, my md5 for the decrypted .cia is 407a6db4a04ce11dec9545b294c6d87f
Might want to compare with yours. If it matches then we can rule out Decrypt9.

Might also want to make sure the .cia doesn't get slightly corrupted when copying over to the SD card, or making sure the decrypted one doesn't get slightly corrupted when transferring it back to the computer.

And last but not least, if you're using the built-in N3DS FTP file transfer, the chances of a file that large getting corrupted are much higher than if you were to actually plug the microSD card in directly.

Edit: Well anyway, if anyone's running into a similar issue, here's an xdelta patch you can apply to the EUR Smash 1.1.3 update. You will have to decrypt it with Decrypt9 first, but this should let you patch the exheader without having to use HackingToolkit, if for some reason the latter does not want to co-operate.

Attached Files:

Decrypt9 just decrypts the .cia, keeps the same file.
It'll remain the same size and the same name because it's the same file with the same contents, just decrypted. Encryption != compression, file size wouldn't change.

Are you sure you are selecting CIA Decryptor (deep)? (shallow) won't work, and I'm not entirely sure what the (for GW) one does.

Quick question, I'm at the end of step 2. After using Decrypt9, the 3DS screen shows a message that the .cia was successfully decrypted and checking in the D9Game folder, I see only one .cia file. Comparing its MD5 to the original untouched .cia shows that it has indeed been modified. After I move this .cia file to the PackHack folder and running HackingToolkit.exe, I enter "cia", the name of the file (without the file extension), and then hit Y to confirm decompression code.bin, several lines of text quickly flash past (too quick to read), and I'm taken back to the HackingToolkit main menu. Looking in the folder, no files have been generated. There is no DecryptedExHeader.bin anywhere to be found. Am I doing something wrong here?

Details abridged:

Warning: Spoilers inside!

EDIT:
Entering nonsense filenames in HackingToolkit gives the exact same result as entering the actual name of my .cia file. Looks like it's not even detecting the update .cia or something.

EDIT2:
Actually, where does Decrypt9 even save the decrypted .cia file anyway? I've set it up so that my update.cia is in a D9Game folder at the root of my SD. After supposedly decrypting the .cia, there's just the update.cia in the same folder. Nothing's seemingly changed. Is Decrypt9 supposed to output the decrypted .cia at the same location as the original .cia, with the exact same name? Or does it place it somewhere else that I'm not aware of? At the moment I can't tell whether it's Decrypt9 that isn't properly working or if it's HackingToolkit.exe that's up to mischief.

EDIT3:
I was able to get a screenshot of the errors that flash up in HackingToolkit. It says:
The system cannot find the file specified.
'C:\Users\Admin' is not recognized as an internal or external command, operable program or batch file.
Could Not Find C:\Users\Admin\Downloads\PackEnglishV4.3\PackHack\DecryptedPartition1.bin
C:\Users\Admin\Downloads\PackEnglishV4.3\PackHack\DecryptedPartition2.bin
C:\Users\Admin\Downloads\PackEnglishV4.3\PackHack\DecryptedPartition6.bin
C:\Users\Admin\Downloads\PackEnglishV4.3\PackHack\DecryptedPartition7.bin
C:\Users\Admin\Downloads\PackEnglishV4.3\PackHack\DecryptedPartition0.bin

EDIT4:
I suspect that it's Decrypt9 that's not working. Even though it says that the .cia was successfully decrypted, the file I find in D9Game has the exact same file size as the input file. Even though it has a different MD5, everything else about it is absolutely identical to the original file. And it doesn't help that HackingToolkit doesn't give any indication if a .cia is broken or still encrypted. Hell, it doesn't even tell you if the specified file is nonexistent!

EDIT5:
Tried using Decrypt9UI. Doesn't even start up and just hangs at a black screen. Tempted to just delete everything and give up at this point.

EDIT6:
Managed to get Decrypt9UI running on 5th attempt. Exact same result. Generates an identical file at the exact same location with the same name and file size but different MD5. When HackingToolkit.exe is applied absolutely nothing happens and no further files are generated.

EDIT7:
Attempted to extract using ctrtool instead, it threw up a ton of errors about wrong key. Looks like Decrypt9 is definitely the culprit here. Tried uninstalling, cleaning all related files, reinstalling, re-readint tutorials, re-decrypting but it's always the exact same result. Decrypt9 is being stubborn and not working. Giving up for today, wasted enough time on this already.

EDIT (final):
It looks like the problems were being caused by Windows OS on my end, it was interfering with how hackingtoolkit was working and generally wreaking havoc. Case somewhat closed, for now.

Click to expand...

I was having this exact same problem. In my case I realized the hackingtool application will not accept filenames with spaces. I renamed the update file to "update.cia" and everything works as expected.

This guide works on my downgraded N3DS XL running 9.5 emuNAND. Thanks!! Just one thing, could you give some more details on what the makerom commands are doing? I'm curious.

I was having this exact same problem. In my case I realized the hackingtool application will not accept filenames with spaces. I renamed the update file to "update.cia" and everything works as expected.

Click to expand...

I figured that the file name had issues, so I tried update.cia at that time, but it didn't change anything. Turns out the Windows OS was having issues, so it seems to be an isolated case on my end. Thanks anyway.

So I also tried this guide with Triforce Heroes 2.1.0 update. It works. The game screen shows v2.1.0 and I can load the game and play online. However, I still get the update notification on the homescreen. Any idea what may be causing this? Did I not patch something?